Play interactive tour

Edit tour

Analysis Report Y88576645635_03112021.PDF.exe

Overview

General Information

Sample Name:	Y88576645635_03112021.PDF.exe
Analysis ID:	367711
MD5:	4f0fdcac715b3d952ffab9e7d3ee86ac
SHA1:	1079108984d0587302e2576c6e72c18a1021154b
SHA256:	047d3bebe340180add07832e734233f7aa762de34f1eca2b5059d48a2daca6bc
Infos:
Most interesting Screenshot:

Detection

HawkEye MailPassView

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected HawkEye Rat

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Double Extension

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AntiVM_3

Yara detected HawkEye Keylogger

Yara detected MailPassView

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Changes the view of files in windows explorer (hidden files and folders)

Contains functionality to log keystrokes (.Net Source)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file access)

Tries to steal Mail credentials (via file registry)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected WebBrowserPassView password recovery tool

AV process strings found (often used to terminate AV products)

Antivirus or Machine Learning detection for unpacked file

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to detect virtual machines (SLDT)

Contains functionality to dynamically determine API calls

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May infect USB drives

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses FTP

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

Y88576645635_03112021.PDF.exe (PID: 7100 cmdline: 'C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe' MD5: 4F0FDCAC715B3D952FFAB9E7D3EE86AC)

Y88576645635_03112021.PDF.exe (PID: 244 cmdline: C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe MD5: 4F0FDCAC715B3D952FFAB9E7D3EE86AC)

Y88576645635_03112021.PDF.exe (PID: 3436 cmdline: C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe MD5: 4F0FDCAC715B3D952FFAB9E7D3EE86AC)

Y88576645635_03112021.PDF.exe (PID: 6596 cmdline: C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe MD5: 4F0FDCAC715B3D952FFAB9E7D3EE86AC)

Y88576645635_03112021.PDF.exe (PID: 5912 cmdline: C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe MD5: 4F0FDCAC715B3D952FFAB9E7D3EE86AC)

Y88576645635_03112021.PDF.exe (PID: 6316 cmdline: C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe MD5: 4F0FDCAC715B3D952FFAB9E7D3EE86AC)

vbc.exe (PID: 6896 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)

vbc.exe (PID: 6880 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)

cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView"], "Version": ""}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.659715727.0000000002F91000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000006.00000002.908387169.0000000008090000.00000004.00000001.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000006.00000002.902253239.0000000000402000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b719:$key: HawkEyeKeylogger 0x7d917:$salt: 099u787978786 0x7bd32:$string1: HawkEye_Keylogger 0x7cb85:$string1: HawkEye_Keylogger 0x7d877:$string1: HawkEye_Keylogger 0x7c11b:$string2: holdermail.txt 0x7c13b:$string2: holdermail.txt 0x7c05d:$string3: wallet.dat 0x7c075:$string3: wallet.dat 0x7c08b:$string3: wallet.dat 0x7d459:$string4: Keylog Records 0x7d771:$string4: Keylog Records 0x7d96f:$string5: do not script --> 0x7b701:$string6: \pidloc.txt 0x7b767:$string7: BSPLIT 0x7b777:$string7: BSPLIT
00000006.00000002.902253239.0000000000402000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000006.00000002.902253239.0000000000402000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000006.00000002.902253239.0000000000402000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000006.00000002.902253239.0000000000402000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd8a:$hawkstr1: HawkEye Keylogger 0x7cbcb:$hawkstr1: HawkEye Keylogger 0x7cefa:$hawkstr1: HawkEye Keylogger 0x7d055:$hawkstr1: HawkEye Keylogger 0x7d1b8:$hawkstr1: HawkEye Keylogger 0x7d431:$hawkstr1: HawkEye Keylogger 0x7b918:$hawkstr2: Dear HawkEye Customers! 0x7cf4d:$hawkstr2: Dear HawkEye Customers! 0x7d0a4:$hawkstr2: Dear HawkEye Customers! 0x7d20b:$hawkstr2: Dear HawkEye Customers! 0x7ba39:$hawkstr3: HawkEye Logger Details:
0000000B.00000002.699152607.0000000000400000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000000A.00000002.696473559.0000000000400000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000006.00000002.904321418.0000000003991000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000006.00000002.904321418.0000000003991000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000000.00000002.650605072.0000000002B31000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000006.00000002.908411308.00000000081F0000.00000004.00000001.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000006.00000002.903358748.0000000002991000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000006.00000002.903358748.0000000002991000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x38520:$hawkstr1: HawkEye Keylogger 0x3b1c0:$hawkstr1: HawkEye Keylogger 0x3b540:$hawkstr1: HawkEye Keylogger 0x3dfec:$hawkstr1: HawkEye Keylogger 0x37fd8:$hawkstr2: Dear HawkEye Customers! 0x3b220:$hawkstr2: Dear HawkEye Customers! 0x3b5a0:$hawkstr2: Dear HawkEye Customers! 0x38106:$hawkstr3: HawkEye Logger Details:
00000004.00000002.661841679.0000000003F99000.00000004.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x537929:$key: HawkEyeKeylogger 0x5b9949:$key: HawkEyeKeylogger 0x539b27:$salt: 099u787978786 0x5bbb47:$salt: 099u787978786 0x537f42:$string1: HawkEye_Keylogger 0x538d95:$string1: HawkEye_Keylogger 0x539a87:$string1: HawkEye_Keylogger 0x5b9f62:$string1: HawkEye_Keylogger 0x5badb5:$string1: HawkEye_Keylogger 0x5bbaa7:$string1: HawkEye_Keylogger 0x53832b:$string2: holdermail.txt 0x53834b:$string2: holdermail.txt 0x5ba34b:$string2: holdermail.txt 0x5ba36b:$string2: holdermail.txt 0x53826d:$string3: wallet.dat 0x538285:$string3: wallet.dat 0x53829b:$string3: wallet.dat 0x5ba28d:$string3: wallet.dat 0x5ba2a5:$string3: wallet.dat 0x5ba2bb:$string3: wallet.dat 0x539669:$string4: Keylog Records
00000004.00000002.661841679.0000000003F99000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000004.00000002.661841679.0000000003F99000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000004.00000002.661841679.0000000003F99000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000004.00000002.661841679.0000000003F99000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x537f9a:$hawkstr1: HawkEye Keylogger 0x538ddb:$hawkstr1: HawkEye Keylogger 0x53910a:$hawkstr1: HawkEye Keylogger 0x539265:$hawkstr1: HawkEye Keylogger 0x5393c8:$hawkstr1: HawkEye Keylogger 0x539641:$hawkstr1: HawkEye Keylogger 0x5b9fba:$hawkstr1: HawkEye Keylogger 0x5badfb:$hawkstr1: HawkEye Keylogger 0x5bb12a:$hawkstr1: HawkEye Keylogger 0x5bb285:$hawkstr1: HawkEye Keylogger 0x5bb3e8:$hawkstr1: HawkEye Keylogger 0x5bb661:$hawkstr1: HawkEye Keylogger 0x537b28:$hawkstr2: Dear HawkEye Customers! 0x53915d:$hawkstr2: Dear HawkEye Customers! 0x5392b4:$hawkstr2: Dear HawkEye Customers! 0x53941b:$hawkstr2: Dear HawkEye Customers! 0x5b9b48:$hawkstr2: Dear HawkEye Customers! 0x5bb17d:$hawkstr2: Dear HawkEye Customers! 0x5bb2d4:$hawkstr2: Dear HawkEye Customers! 0x5bb43b:$hawkstr2: Dear HawkEye Customers! 0x537c49:$hawkstr3: HawkEye Logger Details:
Process Memory Space: vbc.exe PID: 6880	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: vbc.exe PID: 6896	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: Y88576645635_03112021.PDF.exe PID: 7100	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Y88576645635_03112021.PDF.exe PID: 6596	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Y88576645635_03112021.PDF.exe PID: 6316	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: Y88576645635_03112021.PDF.exe PID: 6316	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
Process Memory Space: Y88576645635_03112021.PDF.exe PID: 6316	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Click to see the 22 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.Y88576645635_03112021.PDF.exe.39b1b50.8.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
6.2.Y88576645635_03112021.PDF.exe.8090000.11.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
6.2.Y88576645635_03112021.PDF.exe.81f0000.12.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
10.2.vbc.exe.400000.0.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
11.2.vbc.exe.400000.0.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
6.2.Y88576645635_03112021.PDF.exe.45fa72.2.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dca7:$key: HawkEyeKeylogger 0x1fea5:$salt: 099u787978786 0x1e2c0:$string1: HawkEye_Keylogger 0x1f113:$string1: HawkEye_Keylogger 0x1fe05:$string1: HawkEye_Keylogger 0x1e6a9:$string2: holdermail.txt 0x1e6c9:$string2: holdermail.txt 0x1e5eb:$string3: wallet.dat 0x1e603:$string3: wallet.dat 0x1e619:$string3: wallet.dat 0x1f9e7:$string4: Keylog Records 0x1fcff:$string4: Keylog Records 0x1fefd:$string5: do not script --> 0x1dc8f:$string6: \pidloc.txt 0x1dcf5:$string7: BSPLIT 0x1dd05:$string7: BSPLIT
6.2.Y88576645635_03112021.PDF.exe.45fa72.2.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
6.2.Y88576645635_03112021.PDF.exe.45fa72.2.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
6.2.Y88576645635_03112021.PDF.exe.45fa72.2.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e318:$hawkstr1: HawkEye Keylogger 0x1f159:$hawkstr1: HawkEye Keylogger 0x1f488:$hawkstr1: HawkEye Keylogger 0x1f5e3:$hawkstr1: HawkEye Keylogger 0x1f746:$hawkstr1: HawkEye Keylogger 0x1f9bf:$hawkstr1: HawkEye Keylogger 0x1dea6:$hawkstr2: Dear HawkEye Customers! 0x1f4db:$hawkstr2: Dear HawkEye Customers! 0x1f632:$hawkstr2: Dear HawkEye Customers! 0x1f799:$hawkstr2: Dear HawkEye Customers! 0x1dfc7:$hawkstr3: HawkEye Logger Details:
10.2.vbc.exe.400000.0.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
11.2.vbc.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
6.2.Y88576645635_03112021.PDF.exe.409c0d.3.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
6.2.Y88576645635_03112021.PDF.exe.3999930.7.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
6.2.Y88576645635_03112021.PDF.exe.3999930.7.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
4.2.Y88576645635_03112021.PDF.exe.2fe4d90.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
6.2.Y88576645635_03112021.PDF.exe.408208.1.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
6.2.Y88576645635_03112021.PDF.exe.408208.1.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x75511:$key: HawkEyeKeylogger 0x7770f:$salt: 099u787978786 0x75b2a:$string1: HawkEye_Keylogger 0x7697d:$string1: HawkEye_Keylogger 0x7766f:$string1: HawkEye_Keylogger 0x75f13:$string2: holdermail.txt 0x75f33:$string2: holdermail.txt 0x75e55:$string3: wallet.dat 0x75e6d:$string3: wallet.dat 0x75e83:$string3: wallet.dat 0x77251:$string4: Keylog Records 0x77569:$string4: Keylog Records 0x77767:$string5: do not script --> 0x754f9:$string6: \pidloc.txt 0x7555f:$string7: BSPLIT 0x7556f:$string7: BSPLIT
6.2.Y88576645635_03112021.PDF.exe.408208.1.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
6.2.Y88576645635_03112021.PDF.exe.408208.1.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
6.2.Y88576645635_03112021.PDF.exe.408208.1.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
6.2.Y88576645635_03112021.PDF.exe.408208.1.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b82:$hawkstr1: HawkEye Keylogger 0x769c3:$hawkstr1: HawkEye Keylogger 0x76cf2:$hawkstr1: HawkEye Keylogger 0x76e4d:$hawkstr1: HawkEye Keylogger 0x76fb0:$hawkstr1: HawkEye Keylogger 0x77229:$hawkstr1: HawkEye Keylogger 0x75710:$hawkstr2: Dear HawkEye Customers! 0x76d45:$hawkstr2: Dear HawkEye Customers! 0x76e9c:$hawkstr2: Dear HawkEye Customers! 0x77003:$hawkstr2: Dear HawkEye Customers! 0x75831:$hawkstr3: HawkEye Logger Details:
6.2.Y88576645635_03112021.PDF.exe.39b1b50.8.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0.2.Y88576645635_03112021.PDF.exe.2b625e8.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
6.2.Y88576645635_03112021.PDF.exe.45fa72.2.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
6.2.Y88576645635_03112021.PDF.exe.3999930.7.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
4.2.Y88576645635_03112021.PDF.exe.4455010.6.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x5623:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
4.2.Y88576645635_03112021.PDF.exe.4455010.6.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x79b19:$key: HawkEyeKeylogger 0x7bd17:$salt: 099u787978786 0x7a132:$string1: HawkEye_Keylogger 0x7af85:$string1: HawkEye_Keylogger 0x7bc77:$string1: HawkEye_Keylogger 0x7a51b:$string2: holdermail.txt 0x7a53b:$string2: holdermail.txt 0x7a45d:$string3: wallet.dat 0x7a475:$string3: wallet.dat 0x7a48b:$string3: wallet.dat 0x7b859:$string4: Keylog Records 0x7bb71:$string4: Keylog Records 0x7bd6f:$string5: do not script --> 0x79b01:$string6: \pidloc.txt 0x79b67:$string7: BSPLIT 0x79b77:$string7: BSPLIT
4.2.Y88576645635_03112021.PDF.exe.4455010.6.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
4.2.Y88576645635_03112021.PDF.exe.4455010.6.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
4.2.Y88576645635_03112021.PDF.exe.4455010.6.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
4.2.Y88576645635_03112021.PDF.exe.4455010.6.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7a18a:$hawkstr1: HawkEye Keylogger 0x7afcb:$hawkstr1: HawkEye Keylogger 0x7b2fa:$hawkstr1: HawkEye Keylogger 0x7b455:$hawkstr1: HawkEye Keylogger 0x7b5b8:$hawkstr1: HawkEye Keylogger 0x7b831:$hawkstr1: HawkEye Keylogger 0x79d18:$hawkstr2: Dear HawkEye Customers! 0x7b34d:$hawkstr2: Dear HawkEye Customers! 0x7b4a4:$hawkstr2: Dear HawkEye Customers! 0x7b60b:$hawkstr2: Dear HawkEye Customers! 0x79e39:$hawkstr3: HawkEye Logger Details:
6.2.Y88576645635_03112021.PDF.exe.400000.0.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
6.2.Y88576645635_03112021.PDF.exe.400000.0.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b919:$key: HawkEyeKeylogger 0x7db17:$salt: 099u787978786 0x7bf32:$string1: HawkEye_Keylogger 0x7cd85:$string1: HawkEye_Keylogger 0x7da77:$string1: HawkEye_Keylogger 0x7c31b:$string2: holdermail.txt 0x7c33b:$string2: holdermail.txt 0x7c25d:$string3: wallet.dat 0x7c275:$string3: wallet.dat 0x7c28b:$string3: wallet.dat 0x7d659:$string4: Keylog Records 0x7d971:$string4: Keylog Records 0x7db6f:$string5: do not script --> 0x7b901:$string6: \pidloc.txt 0x7b967:$string7: BSPLIT 0x7b977:$string7: BSPLIT
6.2.Y88576645635_03112021.PDF.exe.400000.0.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
6.2.Y88576645635_03112021.PDF.exe.400000.0.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
6.2.Y88576645635_03112021.PDF.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
6.2.Y88576645635_03112021.PDF.exe.400000.0.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf8a:$hawkstr1: HawkEye Keylogger 0x7cdcb:$hawkstr1: HawkEye Keylogger 0x7d0fa:$hawkstr1: HawkEye Keylogger 0x7d255:$hawkstr1: HawkEye Keylogger 0x7d3b8:$hawkstr1: HawkEye Keylogger 0x7d631:$hawkstr1: HawkEye Keylogger 0x7bb18:$hawkstr2: Dear HawkEye Customers! 0x7d14d:$hawkstr2: Dear HawkEye Customers! 0x7d2a4:$hawkstr2: Dear HawkEye Customers! 0x7d40b:$hawkstr2: Dear HawkEye Customers! 0x7bc39:$hawkstr3: HawkEye Logger Details:
6.2.Y88576645635_03112021.PDF.exe.409c0d.3.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73b0c:$key: HawkEyeKeylogger 0x75d0a:$salt: 099u787978786 0x74125:$string1: HawkEye_Keylogger 0x74f78:$string1: HawkEye_Keylogger 0x75c6a:$string1: HawkEye_Keylogger 0x7450e:$string2: holdermail.txt 0x7452e:$string2: holdermail.txt 0x74450:$string3: wallet.dat 0x74468:$string3: wallet.dat 0x7447e:$string3: wallet.dat 0x7584c:$string4: Keylog Records 0x75b64:$string4: Keylog Records 0x75d62:$string5: do not script --> 0x73af4:$string6: \pidloc.txt 0x73b5a:$string7: BSPLIT 0x73b6a:$string7: BSPLIT
6.2.Y88576645635_03112021.PDF.exe.409c0d.3.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
6.2.Y88576645635_03112021.PDF.exe.409c0d.3.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
6.2.Y88576645635_03112021.PDF.exe.409c0d.3.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
6.2.Y88576645635_03112021.PDF.exe.409c0d.3.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7417d:$hawkstr1: HawkEye Keylogger 0x74fbe:$hawkstr1: HawkEye Keylogger 0x752ed:$hawkstr1: HawkEye Keylogger 0x75448:$hawkstr1: HawkEye Keylogger 0x755ab:$hawkstr1: HawkEye Keylogger 0x75824:$hawkstr1: HawkEye Keylogger 0x73d0b:$hawkstr2: Dear HawkEye Customers! 0x75340:$hawkstr2: Dear HawkEye Customers! 0x75497:$hawkstr2: Dear HawkEye Customers! 0x755fe:$hawkstr2: Dear HawkEye Customers! 0x73e2c:$hawkstr3: HawkEye Logger Details:
4.2.Y88576645635_03112021.PDF.exe.4290590.4.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x1cbea3:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df 0x24dec3:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
4.2.Y88576645635_03112021.PDF.exe.4290590.4.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x240399:$key: HawkEyeKeylogger 0x2c23b9:$key: HawkEyeKeylogger 0x242597:$salt: 099u787978786 0x2c45b7:$salt: 099u787978786 0x2409b2:$string1: HawkEye_Keylogger 0x241805:$string1: HawkEye_Keylogger 0x2424f7:$string1: HawkEye_Keylogger 0x2c29d2:$string1: HawkEye_Keylogger 0x2c3825:$string1: HawkEye_Keylogger 0x2c4517:$string1: HawkEye_Keylogger 0x240d9b:$string2: holdermail.txt 0x240dbb:$string2: holdermail.txt 0x2c2dbb:$string2: holdermail.txt 0x2c2ddb:$string2: holdermail.txt 0x240cdd:$string3: wallet.dat 0x240cf5:$string3: wallet.dat 0x240d0b:$string3: wallet.dat 0x2c2cfd:$string3: wallet.dat 0x2c2d15:$string3: wallet.dat 0x2c2d2b:$string3: wallet.dat 0x2420d9:$string4: Keylog Records
4.2.Y88576645635_03112021.PDF.exe.4290590.4.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
4.2.Y88576645635_03112021.PDF.exe.4290590.4.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
4.2.Y88576645635_03112021.PDF.exe.4290590.4.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
4.2.Y88576645635_03112021.PDF.exe.4290590.4.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x240a0a:$hawkstr1: HawkEye Keylogger 0x24184b:$hawkstr1: HawkEye Keylogger 0x241b7a:$hawkstr1: HawkEye Keylogger 0x241cd5:$hawkstr1: HawkEye Keylogger 0x241e38:$hawkstr1: HawkEye Keylogger 0x2420b1:$hawkstr1: HawkEye Keylogger 0x2c2a2a:$hawkstr1: HawkEye Keylogger 0x2c386b:$hawkstr1: HawkEye Keylogger 0x2c3b9a:$hawkstr1: HawkEye Keylogger 0x2c3cf5:$hawkstr1: HawkEye Keylogger 0x2c3e58:$hawkstr1: HawkEye Keylogger 0x2c40d1:$hawkstr1: HawkEye Keylogger 0x240598:$hawkstr2: Dear HawkEye Customers! 0x241bcd:$hawkstr2: Dear HawkEye Customers! 0x241d24:$hawkstr2: Dear HawkEye Customers! 0x241e8b:$hawkstr2: Dear HawkEye Customers! 0x2c25b8:$hawkstr2: Dear HawkEye Customers! 0x2c3bed:$hawkstr2: Dear HawkEye Customers! 0x2c3d44:$hawkstr2: Dear HawkEye Customers! 0x2c3eab:$hawkstr2: Dear HawkEye Customers! 0x2406b9:$hawkstr3: HawkEye Logger Details:
4.2.Y88576645635_03112021.PDF.exe.4455010.6.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df 0x89443:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
4.2.Y88576645635_03112021.PDF.exe.4455010.6.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b919:$key: HawkEyeKeylogger 0xfd939:$key: HawkEyeKeylogger 0x7db17:$salt: 099u787978786 0xffb37:$salt: 099u787978786 0x7bf32:$string1: HawkEye_Keylogger 0x7cd85:$string1: HawkEye_Keylogger 0x7da77:$string1: HawkEye_Keylogger 0xfdf52:$string1: HawkEye_Keylogger 0xfeda5:$string1: HawkEye_Keylogger 0xffa97:$string1: HawkEye_Keylogger 0x7c31b:$string2: holdermail.txt 0x7c33b:$string2: holdermail.txt 0xfe33b:$string2: holdermail.txt 0xfe35b:$string2: holdermail.txt 0x7c25d:$string3: wallet.dat 0x7c275:$string3: wallet.dat 0x7c28b:$string3: wallet.dat 0xfe27d:$string3: wallet.dat 0xfe295:$string3: wallet.dat 0xfe2ab:$string3: wallet.dat 0x7d659:$string4: Keylog Records
4.2.Y88576645635_03112021.PDF.exe.4455010.6.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
4.2.Y88576645635_03112021.PDF.exe.4455010.6.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
4.2.Y88576645635_03112021.PDF.exe.4455010.6.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
4.2.Y88576645635_03112021.PDF.exe.4455010.6.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf8a:$hawkstr1: HawkEye Keylogger 0x7cdcb:$hawkstr1: HawkEye Keylogger 0x7d0fa:$hawkstr1: HawkEye Keylogger 0x7d255:$hawkstr1: HawkEye Keylogger 0x7d3b8:$hawkstr1: HawkEye Keylogger 0x7d631:$hawkstr1: HawkEye Keylogger 0xfdfaa:$hawkstr1: HawkEye Keylogger 0xfedeb:$hawkstr1: HawkEye Keylogger 0xff11a:$hawkstr1: HawkEye Keylogger 0xff275:$hawkstr1: HawkEye Keylogger 0xff3d8:$hawkstr1: HawkEye Keylogger 0xff651:$hawkstr1: HawkEye Keylogger 0x7bb18:$hawkstr2: Dear HawkEye Customers! 0x7d14d:$hawkstr2: Dear HawkEye Customers! 0x7d2a4:$hawkstr2: Dear HawkEye Customers! 0x7d40b:$hawkstr2: Dear HawkEye Customers! 0xfdb38:$hawkstr2: Dear HawkEye Customers! 0xff16d:$hawkstr2: Dear HawkEye Customers! 0xff2c4:$hawkstr2: Dear HawkEye Customers! 0xff42b:$hawkstr2: Dear HawkEye Customers! 0x7bc39:$hawkstr3: HawkEye Logger Details:
4.2.Y88576645635_03112021.PDF.exe.4054130.5.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x408303:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df 0x48a323:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
4.2.Y88576645635_03112021.PDF.exe.4054130.5.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x47c7f9:$key: HawkEyeKeylogger 0x4fe819:$key: HawkEyeKeylogger 0x47e9f7:$salt: 099u787978786 0x500a17:$salt: 099u787978786 0x47ce12:$string1: HawkEye_Keylogger 0x47dc65:$string1: HawkEye_Keylogger 0x47e957:$string1: HawkEye_Keylogger 0x4fee32:$string1: HawkEye_Keylogger 0x4ffc85:$string1: HawkEye_Keylogger 0x500977:$string1: HawkEye_Keylogger 0x47d1fb:$string2: holdermail.txt 0x47d21b:$string2: holdermail.txt 0x4ff21b:$string2: holdermail.txt 0x4ff23b:$string2: holdermail.txt 0x47d13d:$string3: wallet.dat 0x47d155:$string3: wallet.dat 0x47d16b:$string3: wallet.dat 0x4ff15d:$string3: wallet.dat 0x4ff175:$string3: wallet.dat 0x4ff18b:$string3: wallet.dat 0x47e539:$string4: Keylog Records
4.2.Y88576645635_03112021.PDF.exe.4054130.5.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
4.2.Y88576645635_03112021.PDF.exe.4054130.5.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
4.2.Y88576645635_03112021.PDF.exe.4054130.5.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
4.2.Y88576645635_03112021.PDF.exe.4054130.5.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x47ce6a:$hawkstr1: HawkEye Keylogger 0x47dcab:$hawkstr1: HawkEye Keylogger 0x47dfda:$hawkstr1: HawkEye Keylogger 0x47e135:$hawkstr1: HawkEye Keylogger 0x47e298:$hawkstr1: HawkEye Keylogger 0x47e511:$hawkstr1: HawkEye Keylogger 0x4fee8a:$hawkstr1: HawkEye Keylogger 0x4ffccb:$hawkstr1: HawkEye Keylogger 0x4ffffa:$hawkstr1: HawkEye Keylogger 0x500155:$hawkstr1: HawkEye Keylogger 0x5002b8:$hawkstr1: HawkEye Keylogger 0x500531:$hawkstr1: HawkEye Keylogger 0x47c9f8:$hawkstr2: Dear HawkEye Customers! 0x47e02d:$hawkstr2: Dear HawkEye Customers! 0x47e184:$hawkstr2: Dear HawkEye Customers! 0x47e2eb:$hawkstr2: Dear HawkEye Customers! 0x4fea18:$hawkstr2: Dear HawkEye Customers! 0x50004d:$hawkstr2: Dear HawkEye Customers! 0x5001a4:$hawkstr2: Dear HawkEye Customers! 0x50030b:$hawkstr2: Dear HawkEye Customers! 0x47cb19:$hawkstr3: HawkEye Logger Details:
6.2.Y88576645635_03112021.PDF.exe.29bb2fc.5.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df 0x14fa3:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
6.2.Y88576645635_03112021.PDF.exe.29bb2fc.5.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
6.2.Y88576645635_03112021.PDF.exe.29bb2fc.5.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0xe224:$hawkstr1: HawkEye Keylogger 0x10ec4:$hawkstr1: HawkEye Keylogger 0x11244:$hawkstr1: HawkEye Keylogger 0x13cf0:$hawkstr1: HawkEye Keylogger 0xdcdc:$hawkstr2: Dear HawkEye Customers! 0x10f24:$hawkstr2: Dear HawkEye Customers! 0x112a4:$hawkstr2: Dear HawkEye Customers! 0xde0a:$hawkstr3: HawkEye Logger Details:
6.2.Y88576645635_03112021.PDF.exe.29cf284.6.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
Click to see the 59 entries

Sigma Overview

System Summary:

Sigma detected: Suspicious Double Extension

Show sources

Source: Process started

Author: Florian Roth (rule), @blu3_team (idea): Data: Command: C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe, CommandLine: C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe, NewProcessName: C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe, OriginalFileName: C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe, ParentCommandLine: 'C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe' , ParentImage: C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe, ParentProcessId: 7100, ProcessCommandLine: C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe, ProcessId: 244

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: Y88576645635_03112021.PDF.exe

Avira: detected

Found malware configuration

Show sources

Source: vbc.exe.6880.11.memstr

Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView"], "Version": ""}

Multi AV Scanner detection for submitted file

Show sources

Source: Y88576645635_03112021.PDF.exe

ReversingLabs: Detection: 21%

Machine Learning detection for sample

Show sources

Source: Y88576645635_03112021.PDF.exe

Joe Sandbox ML: detected

Source: 6.2.Y88576645635_03112021.PDF.exe.400000.0.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 6.2.Y88576645635_03112021.PDF.exe.400000.0.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 4.2.Y88576645635_03112021.PDF.exe.4455010.6.unpack	Avira: Label: TR/Inject.vcoldi

Compliance:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe

Unpacked PE file: 0.2.Y88576645635_03112021.PDF.exe.610000.0.unpack

Source: Y88576645635_03112021.PDF.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: Y88576645635_03112021.PDF.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: Y88576645635_03112021.PDF.exe, 00000006.00000002.902253239.0000000000402000.00000040.00000001.sdmp
Source:	Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: Y88576645635_03112021.PDF.exe, 00000006.00000002.902253239.0000000000402000.00000040.00000001.sdmp, vbc.exe
Source:	Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: Y88576645635_03112021.PDF.exe, 00000006.00000002.902253239.0000000000402000.00000040.00000001.sdmp, vbc.exe

Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.902253239.0000000000402000.00000040.00000001.sdmp	Binary or memory string: autorun.inf
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.902253239.0000000000402000.00000040.00000001.sdmp	Binary or memory string: [autorun]

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 10_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,	10_2_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 11_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,	11_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 11_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,	11_2_00407E0E

Source: C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	6_2_077DFEE3
Source: C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	6_2_07E00326
Source: C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	6_2_07E0018F

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2020410 ET TROJAN HawkEye Keylogger FTP 192.168.2.4:49749 -> 103.27.200.199:21

Source: global traffic

TCP traffic: 192.168.2.4:49750 -> 103.27.200.199:35996

Source: Joe Sandbox View

IP Address: 103.27.200.199 103.27.200.199

Source: Joe Sandbox View

ASN Name: BANGMODENTERPRISE-THBangmodEnterpriseCoLtdTH BANGMODENTERPRISE-THBangmodEnterpriseCoLtdTH

Source: unknown

FTP traffic detected: 103.27.200.199:21 -> 192.168.2.4:49749 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 08:08. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 08:08. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 08:08. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 08:08. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.

Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.902253239.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000000B.00000002.699152607.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.902253239.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000000B.00000002.699152607.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 0000000B.00000003.699009463.000000000096E000.00000004.00000001.sdmp	String found in binary or memory: ttps://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4421591https://consent.google.com/about:blankhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=3&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fhttps://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.google.com&gl=GB&pc=s&uxe=4421591 equals www.facebook.com (Facebook)
Source: vbc.exe, 0000000B.00000003.699009463.000000000096E000.00000004.00000001.sdmp	String found in binary or memory: ttps://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4421591https://consent.google.com/about:blankhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=3&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fhttps://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.google.com&gl=GB&pc=s&uxe=4421591 equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: 84.102.13.0.in-addr.arpa

Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.902253239.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.906936323.0000000005C90000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.903800843.0000000002BBE000.00000004.00000001.sdmp	String found in binary or memory: http://ftp.triplelink.co.th
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.902253239.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: Y88576645635_03112021.PDF.exe, 00000000.00000002.650605072.0000000002B31000.00000004.00000001.sdmp, Y88576645635_03112021.PDF.exe, 00000004.00000002.659715727.0000000002F91000.00000004.00000001.sdmp, Y88576645635_03112021.PDF.exe, 00000006.00000002.903358748.0000000002991000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Y88576645635_03112021.PDF.exe, 00000004.00000002.658406658.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: http://tempuri.org/XXXXXXXXXXXXXXXXXXXXXXX.xsd
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.902253239.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: http://whatismyipaddress.com/-
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.678715082.0000000005B48000.00000004.00000001.sdmp	String found in binary or memory: http://www.agfamonotype.L
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.906936323.0000000005C90000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.663167419.0000000005B45000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.663058162.0000000005B48000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com#
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.906936323.0000000005C90000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.906936323.0000000005C90000.00000002.00000001.sdmp, Y88576645635_03112021.PDF.exe, 00000006.00000002.903096798.0000000001177000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.906936323.0000000005C90000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.666502735.0000000005B45000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.906936323.0000000005C90000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.669031244.0000000005B48000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.906936323.0000000005C90000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.668835911.0000000005B48000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlx
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.667638331.0000000005B47000.00000004.00000001.sdmp, Y88576645635_03112021.PDF.exe, 00000006.00000002.906936323.0000000005C90000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.906936323.0000000005C90000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.906936323.0000000005C90000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.906936323.0000000005C90000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.903096798.0000000001177000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.com2
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.903096798.0000000001177000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.comgrita
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.903096798.0000000001177000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.comionm
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.906936323.0000000005C90000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.662492268.0000000005B4E000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.cg
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.662492268.0000000005B4E000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.c
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.662444137.0000000005B4E000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.662579211.0000000005B45000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.906936323.0000000005C90000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.906936323.0000000005C90000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.662444137.0000000005B4E000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn4
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.662444137.0000000005B4E000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cne-d0
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.662444137.0000000005B4E000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnp
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.675783220.0000000005B48000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.675783220.0000000005B48000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/%
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.906936323.0000000005C90000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.906936323.0000000005C90000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.906936323.0000000005C90000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.662151861.0000000005B4E000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr-es_
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.662151861.0000000005B4E000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr-u
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.906936323.0000000005C90000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: vbc.exe, vbc.exe, 0000000B.00000002.699152607.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.906936323.0000000005C90000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.906936323.0000000005C90000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.662151861.0000000005B4E000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.662151861.0000000005B4E000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krnotm
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.662151861.0000000005B4E000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krt
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.903358748.0000000002991000.00000004.00000001.sdmp	String found in binary or memory: http://www.site.com/logs.php
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.906936323.0000000005C90000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.906936323.0000000005C90000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.669939773.0000000005B48000.00000004.00000001.sdmp, Y88576645635_03112021.PDF.exe, 00000006.00000003.669797236.0000000005B48000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.de
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.666196255.0000000005B45000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.de6
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.906936323.0000000005C90000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.669858103.0000000005B48000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deF
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.666502735.0000000005B45000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deasu
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.666257144.0000000005B45000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deic
Source: Y88576645635_03112021.PDF.exe, 00000006.00000002.906936323.0000000005C90000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Y88576645635_03112021.PDF.exe, 00000006.00000003.662850878.0000000005B48000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cnK
Source: vbc.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: Y88576645635_03112021.PDF.exe, 00000000.00000002.650605072.0000000002B31000.00000004.00000001.sdmp, Y88576645635_03112021.PDF.exe, 00000004.00000002.659715727.0000000002F91000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: vbc.exe, 0000000B.00000003.699009463.000000000096E000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4
Source: vbc.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger

Show sources

Source: Yara match	File source: 00000006.00000002.902253239.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.903358748.0000000002991000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.661841679.0000000003F99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Y88576645635_03112021.PDF.exe PID: 6316, type: MEMORY
Source: Yara match	File source: 6.2.Y88576645635_03112021.PDF.exe.45fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Y88576645635_03112021.PDF.exe.408208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Y88576645635_03112021.PDF.exe.4455010.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Y88576645635_03112021.PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Y88576645635_03112021.PDF.exe.409c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Y88576645635_03112021.PDF.exe.4290590.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Y88576645635_03112021.PDF.exe.4455010.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Y88576645635_03112021.PDF.exe.4054130.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Y88576645635_03112021.PDF.exe.29bb2fc.5.raw.unpack, type: UNPACKEDPE

Contains functionality to log keystrokes (.Net Source)

Show sources

Source: 6.2.Y88576645635_03112021.PDF.exe.400000.0.unpack, Form1.cs

.Net Code: HookKeyboard

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 10_2_0040AC8A GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA,

10_2_0040AC8A

Source: Y88576645635_03112021.PDF.exe, 00000000.00000002.650126431.0000000000F98000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000006.00000002.902253239.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.902253239.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.903358748.0000000002991000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.661841679.0000000003F99000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.661841679.0000000003F99000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.Y88576645635_03112021.PDF.exe.45fa72.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.Y88576645635_03112021.PDF.exe.45fa72.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.Y88576645635_03112021.PDF.exe.408208.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.Y88576645635_03112021.PDF.exe.408208.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.Y88576645635_03112021.PDF.exe.4455010.6.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.Y88576645635_03112021.PDF.exe.4455010.6.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.Y88576645635_03112021.PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.Y88576645635_03112021.PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.Y88576645635_03112021.PDF.exe.409c0d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.Y88576645635_03112021.PDF.exe.409c0d.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.Y88576645635_03112021.PDF.exe.4290590.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.Y88576645635_03112021.PDF.exe.4290590.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.Y88576645635_03112021.PDF.exe.4455010.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.Y88576645635_03112021.PDF.exe.4455010.6.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.Y88576645635_03112021.PDF.exe.4054130.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.Y88576645635_03112021.PDF.exe.4054130.5.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.Y88576645635_03112021.PDF.exe.29bb2fc.5.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: Y88576645635_03112021.PDF.exe

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 11_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,

11_2_00408836

Source: C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe	Code function: 0_2_00F821F0	0_2_00F821F0
Source: C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe	Code function: 0_2_00F8E630	0_2_00F8E630
Source: C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe	Code function: 0_2_00F81790	0_2_00F81790
Source: C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe	Code function: 0_2_00F80FE8	0_2_00F80FE8
Source: C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe	Code function: 0_2_00F85128	0_2_00F85128
Source: C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe	Code function: 0_2_00F85118	0_2_00F85118
Source: C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe	Code function: 0_2_00F80471	0_2_00F80471
Source: C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe	Code function: 0_2_00F85551	0_2_00F85551
Source: C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe	Code function: 0_2_00F85768	0_2_00F85768
Source: C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe	Code function: 0_2_00F81C70	0_2_00F81C70
Source: C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe	Code function: 0_2_00F83FA8	0_2_00F83FA8
Source: C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe	Code function: 0_2_00F83F98	0_2_00F83F98
Source: C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe	Code function: 0_2_00F80F41	0_2_00F80F41
Source: C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe	Code function: 0_2_0294D7C8	0_2_0294D7C8
Source: C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe	Code function: 0_2_02941750	0_2_02941750
Source: C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe	Code function: 0_2_0294A748	0_2_0294A748
Source: C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe	Code function: 0_2_029424A0	0_2_029424A0
Source: C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe	Code function: 0_2_0294FD18	0_2_0294FD18
Source: C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe	Code function: 0_2_02944511	0_2_02944511
Source: C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe	Code function: 0_2_02944520	0_2_02944520
Source: C:\Users\user\Desktop\Y88576645635_03112021.PDF.exe	Code

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Y88576645635_03112021.PDF.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: HawkEye

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary: